Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[hackerone] Remove onion services from window.location.ancestorOrigins #32421

Closed
diracdeltas opened this issue Aug 21, 2023 · 3 comments · Fixed by brave/brave-core#20622
Closed

[hackerone] Remove onion services from window.location.ancestorOrigins #32421

diracdeltas opened this issue Aug 21, 2023 · 3 comments · Fixed by brave/brave-core#20622
Assignees
@fmarier
Labels
bug feature/tor OS/Desktop QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Test-Plan-Specified QA/Yes release-notes/include security
Projects
Security & Privacy
Milestone
1.62.x - Release

Comments

@diracdeltas
Copy link
Member

diracdeltas commented Aug 21, 2023
edited by fmarier

The window.location.ancestorOrigins API is currently separate from any referrer interventions and so while we removed .onion hostnames from cross-origin referrers, these .onion hostnames are still visible via the ancestorOrigins API.

We should follow a similar policy as what we did on the referrer side: omit .onion origins (replacing them with "null") unless they are same-origin with the innermost frame.

Given the direction of whatwg/html#2480 and the fact that I already proposed changing the referrer in w3c/webappsec-referrer-policy#156, if Firefox ever implements this API, it will likely be done in the way that they have discussed publicly and then our implementation will be the natural way to fix this in the Tor browser too.

Originally reported on https://hackerone.com/reports/2117537 by xiaoyinl
@rebron rebron added this to Untriaged Backlog in Security & Privacy via automation Sep 15, 2023
@fmarier fmarier moved this from Untriaged Backlog to Important backlog (do these first!) in Security & Privacy Sep 19, 2023
@fmarier fmarier mentioned this issue Oct 20, 2023
Merged
25 tasks
@fmarier fmarier moved this from Important backlog (do these first!) to Pending review in Security & Privacy Oct 24, 2023
fmarier added a commit to brave/brave-core that referenced this issue Nov 3, 2023
@fmarier
Remove cross-origin .onion origins from location.ancestorOrigins (fixes
2e3cf58 
brave/brave-browser#32421)
Security & Privacy automation moved this from Pending review to Completed Nov 3, 2023
@brave-builds brave-builds added this to the 1.62.x - Nightly milestone Nov 3, 2023
@fmarier fmarier changed the title [hackerone] onion site referrer issue Remove onion services from window.location.ancestorOrigins Nov 7, 2023
@stephendonner
Copy link

Verified PASSED using

Brave | 1.62.33 Chromium: 119.0.6045.105 (Official Build) nightly (x86_64)
-- | --
Revision | f2e65ce54724df1b0d04a6f8b50ab9d97779a5b5
OS | macOS Version 14.2 (Build 23C5030f)

Steps:

  1. installed 1.62.33
  2. launched Brave
  3. clicked on the "hamburger" menu
  4. clicked on New Private Window with Tor
  5. loaded http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
  6. compared the results of the two <iframe> tests below with those from the test plan

Confirmed the results of the output match those provided in the test plan

Sub-resources, same-origin Sub-resources, cross-origin <iframe>s
Screenshot 2023-11-07 at 4 04 32 PM Screenshot 2023-11-07 at 4 05 28 PM

mherrmann pushed a commit to brave/brave-core that referenced this issue Nov 9, 2023
@fmarier @mherrmann
Remove cross-origin .onion origins from location.ancestorOrigins (fixes
5bd0f25 
brave/brave-browser#32421)
@LaurenWags LaurenWags changed the title Remove onion services from window.location.ancestorOrigins [hackerone] Remove onion services from window.location.ancestorOrigins Dec 8, 2023
@MadhaviSeelam
Copy link

Verification PASSED using

Brave | 1.62.105 Chromium: 120.0.6099.71 (Official Build) beta (64-bit)
-- | --
Revision | f72c783bcd52110d026061575b4bef28ccb547f7
OS | Windows 11 Version 22H2 (Build 22621.2715)

Steps:

  1. installed 1.62.105
  2. launched Brave
  3. clicked on the "hamburger" menu
  4. clicked on New Private Window with Tor
  5. loaded http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
  6. compared the results of the two <iframe> tests below with those from the test plan

Confirmed the results of the output match those provided in the test plan

Sub-resources, same-origin Sub-resources, cross-origin <iframe>s
image image

@LaurenWags
Copy link
Member

LaurenWags commented Dec 18, 2023
edited

Verified with

Brave	1.62.112 Chromium: 120.0.6099.115 (Official Build) beta (64-bit) 
Revision	ae1e179b9884b2de2f4ba0bdea7da3beaad93ffa
OS	Linux

Verified the test plan from brave/brave-core#20622 (comment).

Steps:

  1. installed 1.62.x
  2. launched Brave
  3. clicked on the "hamburger" menu
  4. clicked on New Private Window with Tor
  5. loaded http://ixrdj3iwwhkuau5tby5jh3a536a2rdhpbdbu6ldhng43r47kim7a3lid.onion/referrer/onion.html
  6. compared the results of the two <iframe> tests below with those from the test plan

Confirmed the results of the output match those provided in the test plan

Sub-resources, same-origin Sub-resources, cross-origin <iframe>s
1 2

@LaurenWags LaurenWags added QA/In-Progress Indicates that QA is currently in progress for that particular issue QA Pass-Linux and removed QA/In-Progress Indicates that QA is currently in progress for that particular issue labels Dec 18, 2023
@LaurenWags LaurenWags mentioned this issue Jan 24, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fmarier fmarier

Labels
bug feature/tor OS/Desktop QA Pass-Linux QA Pass-macOS QA Pass-Win64 QA/Test-All-Platforms QA/Test-Plan-Specified QA/Yes release-notes/include security
Projects
Security & Privacy
  
Completed
Milestone
1.62.x - Release
Development

Successfully merging a pull request may close this issue.

Remove cross-origin .onion origins from location.ancestorOrigins brave/brave-core
6 participants
@fmarier @stephendonner @diracdeltas @LaurenWags @brave-builds @MadhaviSeelam